From 9e538f25042d9c2d7c34122c58e8c3bd764200bd Mon Sep 17 00:00:00 2001 
From: Jamie Phillips Date: Mon, 23 May 2022 09:35:46 -0400 Subject: [PATCH] Fixing the integration tests for helm chart. This PR makes tweaks and fixes some assumptions that prevented the integration test from actually working. This also adds a latest chart. --- admission-webhook/make/helm.mk | 13 +- admission-webhook/run-ci.sh | 23 ++-- charts/index.yaml | 21 +++- charts/latest/gmsa-0.4.1.tgz | Bin 0 -> 3837 bytes charts/latest/gmsa/Chart.yaml | 13 ++ charts/latest/gmsa/app-readme.md | 9 ++ charts/latest/gmsa/templates/_helpers.tpl | 46 +++++++ charts/latest/gmsa/templates/clusterrole.yaml | 16 +++ .../gmsa/templates/clusterrolebinding.yaml | 15 +++ charts/latest/gmsa/templates/crds/crds.yaml | 119 ++++++++++++++++++ .../latest/gmsa/templates/credentialspec.yaml | 24 ++++ charts/latest/gmsa/templates/deployment.yaml | 68 ++++++++++ charts/latest/gmsa/templates/issuer.yaml | 26 ++++ .../gmsa/templates/mutatingwebhook.yaml | 34 +++++ charts/latest/gmsa/templates/service.yaml | 13 ++ .../latest/gmsa/templates/serviceaccount.yaml | 8 ++ .../gmsa/templates/validatingwebhook.yaml | 34 +++++ charts/latest/gmsa/values.yaml | 34 +++++ 18 files changed, 501 insertions(+), 15 deletions(-) create mode 100644 charts/latest/gmsa-0.4.1.tgz create mode 100644 charts/latest/gmsa/Chart.yaml create mode 100644 charts/latest/gmsa/app-readme.md create mode 100644 charts/latest/gmsa/templates/_helpers.tpl create mode 100644 charts/latest/gmsa/templates/clusterrole.yaml create mode 100644 charts/latest/gmsa/templates/clusterrolebinding.yaml create mode 100644 charts/latest/gmsa/templates/crds/crds.yaml create mode 100644 charts/latest/gmsa/templates/credentialspec.yaml create mode 100644 charts/latest/gmsa/templates/deployment.yaml create mode 100644 charts/latest/gmsa/templates/issuer.yaml create mode 100644 charts/latest/gmsa/templates/mutatingwebhook.yaml create mode 100644 charts/latest/gmsa/templates/service.yaml create mode 100644 charts/latest/gmsa/templates/serviceaccount.yaml 
create mode 100644 charts/latest/gmsa/templates/validatingwebhook.yaml
create mode 100644 charts/latest/gmsa/values.yaml
diff --git a/admission-webhook/make/helm.mk b/admission-webhook/make/helm.mk
index c4bcf65b..84de0415 100644
--- a/admission-webhook/make/helm.mk
+++ b/admission-webhook/make/helm.mk
@@ -29,7 +29,7 @@ deploy_chart: install-helm
 # removes the chart from the kind cluster
 .PHONY: remove_chart
 remove_chart:
- KUBECONFIG=$(KUBECONFIG) $(HELM) uninstall $(DEPLOYMENT_NAME)
+ KUBECONFIG=$(KUBECONFIG) $(HELM) uninstall $(DEPLOYMENT_NAME) --namespace $(NAMESPACE)
 # deploys the webhook to the kind cluster using helm
 # if $K8S_GMSA_DEPLOY_METHOD is set to "download", then it will deploy by downloading 
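Review bot: `remove_chart` now uninstalls the release from `$(NAMESPACE)` but leaves the namespace behind, while `_deploy_chart` in the next hunk creates it with a plain `kubectl create namespace $(NAMESPACE)`; a deploy → remove → deploy cycle on a kept cluster therefore fails on the second create. Add `KUBECONFIG=$(KUBECONFIG) $(KUBECTL) delete namespace $(NAMESPACE) || true` after the uninstall, mirroring what `remove_certmanager` does for cert-manager. `$(NAMESPACE)` is not defined anywhere in this patch, so it is presumably set elsewhere in the makefile; a `$(error ...)` guard like the one `_deploy_chart` has for `K8S_GMSA_CHART` would make a missing value fail loudly instead of uninstalling from the default namespace.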
@@ -37,21 +37,24 @@ remove_chart:
 # $K8S_GMSA_DEPLOY_CHART_VERSION env variables to build the download URL. If VERSION is
 # not set then latest is used.
 .PHONY: _deploy_chart
-_deploy_chart: _deploy_certmanager
+_deploy_chart: _start_cluster_if_not_running _deploy_certmanager
 ifeq ($(K8S_GMSA_CHART),)
 @ echo "Cannot call target $@ without setting K8S_GMSA_CHART"
 exit 1
 endif
- mkdir -p $(dir $(MANIFESTS_FILE))
 @ echo "installing helm deployment $(DEPLOYMENT_NAME) with chart $(K8S_GMSA_CHART) and image $(IMAGE_REPO):$(VERSION)"
+ KUBECONFIG=$(KUBECONFIG) $(KUBECTL) create namespace $(NAMESPACE)
 KUBECONFIG=$(KUBECONFIG) $(HELM) version
- KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) --set image.repository=$(IMAGE_REPO) --set image.tag=$(VERSION) $(K8S_GMSA_CHART)
+ KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) $(K8S_GMSA_CHART) --namespace $(NAMESPACE)
+ KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n $(NAMESPACE) pod -l app=$(DEPLOYMENT_NAME) --for=condition=Ready
 .PHONY: _deploy_certmanager
 _deploy_certmanager: remove_certmanager
 KUBECONFIG=$(KUBECONFIG) $(KUBECTL) create namespace cert-manager
 KUBECONFIG=$(KUBECONFIG) $(KUBECTL) apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml
-
+ KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n cert-manager pod -l app=cainjector --for=condition=Ready
+ KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n cert-manager pod -l app=webhook --for=condition=Ready
+
 .PHONY: remove_certmanager
 remove_certmanager:
 KUBECONFIG=$(KUBECONFIG) $(KUBECTL) delete namespace cert-manager || true
diff --git a/admission-webhook/run-ci.sh b/admission-webhook/run-ci.sh
index 6f268da4..02fc73f8 100755
--- a/admission-webhook/run-ci.sh
+++ b/admission-webhook/run-ci.sh
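Review bot: The new `helm install` line dropped `--set image.repository=$(IMAGE_REPO) --set image.tag=$(VERSION)`, so the chart path now deploys whatever `image.tag` the chart's own values carry (`k8s.gcr.io/gmsa-webhook/k8s-gmsa-webhook:v0.4.0` in this patch) instead of the webhook image built for the commit under test, while the echo two lines above still claims `image $(IMAGE_REPO):$(VERSION)`; restore the flags, `KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) $(K8S_GMSA_CHART) --namespace $(NAMESPACE) --set image.repository=$(IMAGE_REPO) --set image.tag=$(VERSION)`, or the integration test no longer exercises the PR. `kubectl create namespace $(NAMESPACE)` is not idempotent and nothing removes that namespace, so a second run against a kept cluster fails at this line; `$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -` is the usual fix. The three `kubectl wait` calls rely on the default 30s timeout, which is tight for the first image pull on a fresh kind node; `--timeout=300s` avoids a flaky failure. cert-manager is applied from a release URL at a pinned tag but with no checksum verification, which is acceptable for a throwaway test cluster but should not be copied into a real deployment path.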
@@ -10,6 +10,10 @@ export CLUSTER_NAME="windows-gmsa-$GITHUB_JOB"
 export KUBECTL="$GITHUB_WORKSPACE/admission-webhook/dev/kubectl-$CLUSTER_NAME"
 export KUBECONFIG="$GITHUB_WORKSPACE/admission-webhook/dev/kubeconfig-$CLUSTER_NAME"
+if [-z "${CHART_VERSION}"]; then
+ CHART_VERSION="latest"
+fi
+
 main() {
 case "$T" in
 unit)
@@ -46,17 +50,17 @@ run_integration_tests() {
 export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$(git rev-parse HEAD)"
 echo "Running: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
 fi
- fi
-
- if [[ "$DEPLOY_METHOD" == 'chart' ]]; then
+ elif [[ "$DEPLOY_METHOD" == 'chart' ]]; then
 export K8S_GMSA_DEPLOY_METHOD='chart'
-
+ echo "deploy method: $K8S_GMSA_DEPLOY_METHOD"
 if [ "$GITHUB_HEAD_REF" ]; then
 # GITHUB_HEAD_REF is only set if it's a pull request
 # Similar logic goes here, but installs the chart using the repo.
 export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="$GITHUB_REPOSITORY"
 export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$GITHUB_SHA"
 echo "Running pull request: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
+
+ export K8S_GMSA_CHART="$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa"
 else
 # not a pull request
 # Installs the chart using the local copy.
@@ -64,9 +68,7 @@ run_integration_tests() {
 export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$(git rev-parse HEAD)"
 echo "Running: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
- export K8S_GMSA_CHART=$GITHUB_WORKSPACE/charts/v0.4.0/gmsa
- make integration_tests_chart
- exit
+ export K8S_GMSA_CHART="$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa"
 fi
 fi
@@ -95,7 +97,12 @@ run_integration_tests() {
 exit 1
 fi
 else
- make integration_tests
+ if [[ "$DEPLOY_METHOD" == 'download' ]]; then
+ make integration_tests
+ fi
+ if [[ "$DEPLOY_METHOD" == 'chart' ]]; then
+ make integration_tests_chart
+ fi
 fi
 }
diff --git a/charts/index.yaml b/charts/index.yaml
index c7adafb4..e95f6077 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
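Review bot: `if [-z "${CHART_VERSION}"]; then` is missing the spaces inside the brackets, so bash looks for a command literally named `[-z`, prints `command not found`, and takes the false branch; the `latest` default is never applied, and an unset `CHART_VERSION` later produces `K8S_GMSA_CHART=.../charts//gmsa`, a path that does not exist. Replace the three added lines with `CHART_VERSION="${CHART_VERSION:-latest}"` (or keep the `if` and fix the spacing: `if [ -z "${CHART_VERSION}" ]; then`). If the workflow already exports `CHART_VERSION` this goes unnoticed, which is presumably why the run passed.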
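Review bot: Both branches of `if [ "$GITHUB_HEAD_REF" ]` now end in the identical `export K8S_GMSA_CHART="$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa"`, so the comment `# Similar logic goes here, but installs the chart using the repo.` no longer describes what happens — in both cases the chart comes from the checked-out workspace and only `K8S_GMSA_DEPLOY_DOWNLOAD_REPO/REV` differ. Hoist the export above the `if` and reword the comment to say exactly that. `CHART_VERSION` is interpolated into a path unchecked; a `[[ -d "$K8S_GMSA_CHART" ]] || { echo "no chart at $K8S_GMSA_CHART" >&2; exit 1; }` right after the export turns a typo into a clear failure instead of a Helm error several steps later. `run_integration_tests` begins before and ends after this hunk.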
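Review bot: With two independent `if` blocks, a `DEPLOY_METHOD` that is neither `download` nor `chart` runs no test at all and the function returns success, so CI goes green without exercising anything; the branches earlier in this function already compare the value against exactly those two strings. Use a `case` with a failing default: `case "$DEPLOY_METHOD" in download) make integration_tests ;; chart) make integration_tests_chart ;; *) echo "unknown DEPLOY_METHOD: $DEPLOY_METHOD" >&2; exit 1 ;; esac`. The enclosing `else` and the function itself start outside the hunk.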
@@ -3,7 +3,24 @@ entries: gmsa: - apiVersion: v2 appVersion: 0.4.0 - created: "2022-04-10T13:16:01.700697-04:00" + created: "2022-05-25T10:13:21.364962697-04:00" + description: Windows GMSA Configuration + digest: 0316e3e42d32faf3ff426bf8b603c16f6e141550bb341e397ba68b2310840ea1 + keywords: + - Windows + - Windows GMSA + - GMSA + - Active Directory + name: gmsa + sources: + - https://github.com/kubernetes-sigs/windows-gmsa + type: application + urls: + - latest/gmsa-0.4.1.tgz + version: 0.4.1 + - apiVersion: v2 + appVersion: 0.4.0 + created: "2022-05-25T10:13:21.366099651-04:00" description: Windows GMSA Configuration digest: 7f29d22ba85d90a18e5b9c4e1a7d9ba1149d5827a2ca37b9a6fe1966e3598767 keywords: @@ -18,4 +35,4 @@ entries: urls: - v0.4.0/gmsa-0.4.0.tgz version: 0.4.0 -generated: "2022-04-10T13:16:01.700137-04:00" +generated: "2022-05-25T10:13:21.364389967-04:00" 
diff --git a/charts/latest/gmsa-0.4.1.tgz b/charts/latest/gmsa-0.4.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..62520954eb55970295342692a347d2d76008f361 GIT binary patch literal 3837 zcmVDc zVQyr3R8em|NM&qo0PH<$bKADE`OIIjL$?#VC!!=vwtIEwesE+r_3er4vD}dIGG?#71T-3r z#%a54{%`2#<7TV<3L0O8nhK;+5%H?=*?m<9_Xh!z z&<`ji<#7il#~w+N{MSa%4jNvBG88mX=F>lD9Py75-o5XgLzl+`I!p!8W!?i$KXMVt zj#ta7&3-Zsyju3(d8p_F;erYb6&F)4CS&Y?-iw~(sR+@a87Y;>PQ5;)YLxbakdNyR zX&*(53S~{wp{#$j_-m%AnkLu*k|d0VmZ(W_EKTqCp6ss>4F69EOHqC?0kDSuo2RYQ zD*w06PWJr23kXptI?(*0c@9AT{+`5Sh(iAgZ~&Jv=`%DXFt$ZNV}(P@`2lo`C33`5 z7C|3@Fo7hR0*$32j9~;sff^w^d@mtnsZ=OT7ic<&I-o>~=1b1E{-hb41x?@6gj@{_ z5w!(G0F@9?Y4E%O5=9`94YZ7iF@lf;p-@0$=o5*jZ5VJdCQ1*NyiMbXVF&zY_K_xx zlgLz-5D`V-(020%6qBYu5=Z9e2b>-Ok!IWyLxJj=j8T)LXG6gbiE$*t}Zk>qeZ-s$BNJx#SIs#1Ae>R@;#4^$q@C(1twfltz9~L z;)7u*0?O-VRzG5Y#Q8)0;d`q&vJW1BBEt?$tm*?W*ltqBZaAaiv;$XzYp!ktN{p4~ z4H@s-#gJ2}aD0ISk}`FRLn@W-*!Mjz;ZYC6R8TeT@>t;~)q%$+PcHbTI77SFWCwoz z&D(*(GV)*HIAK}>)bB^g5)?8}$@Wyi8u{NoJv*+*|Mp31FaLJ}kB>Eoa6n@O-)`dj z$nN5M;kL04wWlXfSEK_7K3H49Zv9~4zR&9?g2rk9{b)PBDgp;~l;*b%JU&8T4@E`* zK0VcDUz~jm|Is3bkr2WEn-BiI4+VO2axYM!80+q4mbO+uWi2yDTCp@B33cPML;~ol z-{?B7$_EtC`5yq8Fsi^0X0u(???FMi2ic6x5Yho~0f#}CB&1InRTO1#eskrhmcfri zRw$#qK56<#aH!YdaH!yrVO*swxNjUm;|LD%-*8A{wXnQ-1cyUhQr^_&Dbp zMps(6jkm9rA7xQe77a6wCVgYS`ZEcg4gHXD{*Wf%i#`bhlBy9G^#82Mo==+(e%D&! 
zx16D`tt{U^I)X+neZR3bsTMCeM$@imzWWf|B10n4h)QF~E*3sB+xDoaP*}E7w)_a1 zd8xpEr&M4BhnXVjo`bd5ouv$~zm>1GA)Oo1_RBbx3h)z^YKbH)nBnvEAL(hxwU1u9 z0=+R;a5y6JC!FSU<7@lhKiUG}R056@HT`_D3kuY+)dI=`b8zwP!9}n8ic0QOvq7x~ zoa$OzT1IE*L-BO=fYUem@k-Cof5U*M`u7pSfHTHF(s&3DIF;Ek%l6cPZ{?aUH2|;@9w*ow|7@RTy@XyF7JQ1{rUZU@3MP)dAG0=Efcn5|5faN zcPtm2;r84?>-@iGC(Vlef70Ije|G~1hBTON)ue1MX+(XF*r?wV;yAQKFw_dw&Q0|ot4(vPdumN!O4G*{`f zw{;$C1HH($VC-6B`b$$vMC0KW#K1cKKRrIH@c-%AS#!_-yMP1G>ulNH3IJYY|JM>E ziU|!d_ub8L?OVH1z7FPfOyT&~(%Q2lI4?RMS9A+AGelRJHwLtf;0$kZpnI8@Vyn?- z48LNMcH#JQQ00FS*?+cq8MKD~&yHJF{og)2IotF9E}+P?B%%08VQkOZGk$eD-01sT zr-m-{X_T5v)_Hbbpa+Ap_SAe3$6PsQx8XXUB(z47MDPhl!R)42>%b29D{q7A7>`IC z;uvEk>q;Qj$3!z^{Q(nMmvmTj1k_Kz|F2r{+SvCrftrM&Wy?8AovX}|S#yId9P!O1 z1&T@O4hujkF31pPH#Fw91rve##8Igmj&Mvm?l%CQV0?aa^`X_P6ad(3Zf@jU;d3H* zqR%rZi)edW z0)I(^tVbdQnJ%e86^@rSUrX|4gj+DzU@OYA&ZH7r*DkNt3wiRnn119^xyf6;Ua;8& zY%=^CmJVtB?w6~JRfKOe0T$I&oTTdWadDwYpJ6u~W-{`nD7#~6DO)%Tt2g3`O}Mhp zi-q^Wix9k+=`P&m^2+V8VwNuoSI;lS@h+v&iyOb6zrB7bs_Vji_DgZ}o-ve}9@;klgFf0&Fd~6~zyS)3O_1$N+{#7Mc7>g}foWK?2AFXUzkCihh_8j*MBB8l zLPV~e=w$)9U-c+lz_adPLAZ0(JgQZf(_3cFWERMF=qOtxumz;EFl}R}Y>aZ4(#YV; zL%J83DjQ>4ywdB}xoFdD+*xJAF5R!a=gfz6(@_jIFNLB0-XeReP|^PpCX7$V7;iHj za9#X&5%c8ur2wMk%B5@M;+I z{PX1}3{y4d!O%E+ZpH3U%)1$Cb_p*(B?4vPx~*F40jC`(T@Kc{TzHb@2@0Y&2wcSr zE7-KhWyjzeFdCwzM0rV4mAlKvP>2v|z#JKf!Cg zo!lm0k=PNy(^Ek$n#RE_a|)iGI&;N}4B_eNb+yl8megFEN{uqf0!c(;l=4RKe#N6P zQYv|ea}GA+!^RH$cz1WxtGbAZ8g-yPLc-LjTE?^Nj?54!CXtoN(se7FqXw0vv&}F~ zI7`R)eu0NLTT{iVTX?K%-uewYwG*iN|CXf-7QKNb+hS>^qP8uv(6JfTje|c+hlxcQ8J~Te zaK4n>5ww7gU|H9JoP;lI7PuJezyxu70G8)mG--B+a%Dc6536SB`TC_+t37`K9W`Ii z+DT-Co_XBCB+mbN{WD)0D)N7vDxzpSbm8CIQ3UJme;Tc7{{QLm+3{Zf?*dBxpJ+_Y z(c2vmt8x2Q7QA;`Ytk)a;Rwpcs4{NIEP;8UuukVl@`V`Ev>mnzfFAO5`oQpqxcj{+=a|>yqyZ zMWuwQghyHK)PPWy3e0>NKM=~y_k1C5O{!H9?WF0y0Y7^?z@m{f!pp(H-8Gl$qUS0$gA^Mt{#+51L2 zd3$CLzduy;zY{gvJpiuD|7#z&=idK0KHcm8T|nvm$4te$(1n-T`(NPVr{IdMIUjDj z-O7CKL<~`F;*Txg7%jck`AbQ@#r*GX=64hS)o3;6;=h`Wef-x>;J`hOQOfZ(4^$Ph 
zfW1{xB1^0Ny@kbJify+B75<+PMx$+e0M?%WPa0MJKRMmM|FIKz{`vnyzD4#PfIpQ7 z!14Yc%m?rW{9kS^_TGTKH((Dh0Hgm&lGFr}XpF%)+I}DF?EjP2+~0pVY47#_PT-*Y zHyzG1u?9}Ld!EU*un+0l*QDeug1dWr@urZ>Yv1IX!x6yU2!Rg*kc|$i}UB#=xPdQOAX$Hs5zwL$Q9`>+@uNnS700960E|HgK0BQgL*od1J literal 0 HcmV?d00001 diff --git a/charts/latest/gmsa/Chart.yaml b/charts/latest/gmsa/Chart.yaml new file mode 100644 index 00000000..7f13ae9d --- /dev/null +++ b/charts/latest/gmsa/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +appVersion: 0.4.0 +description: Windows GMSA Configuration +keywords: +- Windows +- Windows GMSA +- GMSA +- Active Directory +name: gmsa +sources: +- https://github.com/kubernetes-sigs/windows-gmsa +type: application +version: 0.4.1 diff --git a/charts/latest/gmsa/app-readme.md b/charts/latest/gmsa/app-readme.md new file mode 100644 index 00000000..f84e8495 --- /dev/null +++ b/charts/latest/gmsa/app-readme.md @@ -0,0 +1,9 @@ +# Windows GMSA Admission Webhook + +This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa). + +## Prerequisites + +- Active Directory that support Group Managed Service Accounts +- A Group Managed Service Account +- Kubernetes v1.21+ diff --git a/charts/latest/gmsa/templates/_helpers.tpl b/charts/latest/gmsa/templates/_helpers.tpl new file mode 100644 index 00000000..41071a93 --- /dev/null +++ b/charts/latest/gmsa/templates/_helpers.tpl 
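Review bot: The new chart is `version: 0.4.1` but is committed under `charts/latest/`, while the previous release lives under `charts/v0.4.0/`, and `index.yaml` in this same patch records a fixed `digest` for `latest/gmsa-0.4.1.tgz`. A directory named `latest` is by convention overwritten, and re-packaging it under the same `version` would either break digest verification for users pinned to 0.4.1 or, if the index is regenerated as well, silently change what 0.4.1 resolves to — chart versions are expected to be immutable. Publish the tarball as `v0.4.1/gmsa-0.4.1.tgz` like the previous release and keep `latest/` only as the unpackaged working copy the CI installs from. `appVersion: 0.4.0` matches the `tag: v0.4.0` default in values.yaml, so that pair is consistent.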
@@ -0,0 +1,46 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "gmsa.chartref" -}}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end }}
+
+{{/* Determine apiVersion for cert-manager */}}
+{{- define "cert-manager.apiversion" -}}
+ {{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
+ {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+ {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha1
+ {{- else }}
+apiVersion: cert-manager.io/v1
+ {{- end }}
+{{- end }}
+
+{{- define "certificates.cabundle"}}
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
+{{- if lt (len $secret) 1 -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- else -}}
+{{- if not (hasKey $secret "data") -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" 
.Values.certificates.secretName .Release.Namespace) "" -}}
+{{- end -}}
+{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
+{{- end -}}
+{{- end -}}
+{{- get $secret.data "ca.crt" }}
+{{- else -}}
+INSERT_CERTIFICATE_FROM_SECRET
+{{- end -}}
+{{- end }}
+
diff --git a/charts/latest/gmsa/templates/clusterrole.yaml b/charts/latest/gmsa/templates/clusterrole.yaml
new file mode 100644
index 00000000..18af8311
--- /dev/null
+++ b/charts/latest/gmsa/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+# the RBAC role that the webhook needs to:
+# * read GMSA custom resources
+# * check authorizations to use GMSA cred specs
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+rules:
+ - apiGroups: ["windows.k8s.io"]
+ resources: ["gmsacredentialspecs"]
+ verbs: ["get", "use"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["localsubjectaccessreviews"]
+ verbs: ["create"]
+
diff --git a/charts/latest/gmsa/templates/clusterrolebinding.yaml b/charts/latest/gmsa/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..ad71d866
--- /dev/null
+++ b/charts/latest/gmsa/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+# bind that role to the webhook's service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}
+ apiGroup: rbac.authorization.k8s.io
+
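Review bot: The `required` message in `certificates.cabundle` formats `$secret.data` with `%s`, which prints the entire data map — including the base64 `tls.key` — into Helm's error output and therefore into CI logs; list only the key names, `(keys $secret.data | join ", ")`, and note the message says `tls.cert` where the check is for `tls.crt`. None of the templates in this patch call `certificates.cabundle` (both webhook configurations read `.Values.certificates.caBundle` directly), so either wire it in or drop it. In `cert-manager.apiversion`, the default `version: "v1.7.1"` is split on `.` and fed to `int`, and `int "v1"` is 0, so rendering without cluster capabilities (`helm template`, `--dry-run`) falls through to the last `else if` and emits `apiVersion: cert-manager.io/v1alpha1` — which does not exist and does not match the `certmanager.k8s.io/v1alpha1` capability that branch tests for. Strip the prefix, `{{- $certmanagerVer := split "." (trimPrefix "v" .Values.certificates.certManager.version) -}}`, and make that branch emit `certmanager.k8s.io/v1alpha1`.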
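Review bot: The header comment says the role exists to read cred specs and to check authorizations, but the first rule also grants `use` on `gmsacredentialspecs`; the webhook decides whether a *requesting* user may use a spec through the `localsubjectaccessreviews` rule, so it is not obvious why its own service account needs `use`. If the webhook code does require it, say so in the comment, e.g. `# "use" is needed because ...`; otherwise trim the verbs to `["get"]` to keep the service account at least privilege. Whether the binary checks `use` for itself cannot be confirmed from this patch.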
diff --git a/charts/latest/gmsa/templates/crds/crds.yaml b/charts/latest/gmsa/templates/crds/crds.yaml
new file mode 100644
index 00000000..96e09a7a
--- /dev/null
+++ b/charts/latest/gmsa/templates/crds/crds.yaml
@@ -0,0 +1,119 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: gmsacredentialspecs.windows.k8s.io
+ annotations:
+ "api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
+spec:
+ group: windows.k8s.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: false
+ deprecated: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ credspec:
+ description: GMSA Credential Spec
+ type: object
+ properties:
+ ActiveDirectoryConfig:
+ type: object
+ properties:
+ GroupManagedServiceAccounts:
+ type: array
+ items:
+ type: object
+ properties:
+ Name:
+ type: string
+ Scope:
+ type: string
+ HostAccountConfig:
+ type: object
+ properties:
+ PluginGUID:
+ type: string
+ PluginInput:
+ type: string
+ PortableCcgVersion:
+ type: string
+ CmsPlugins:
+ type: array
+ items:
+ type: string
+ DomainJoinConfig:
+ type: object
+ properties:
+ DnsName:
+ type: string
+ DnsTreeName:
+ type: string
+ Guid:
+ type: string
+ MachineAccountName:
+ type: string
+ NetBiosName:
+ type: string
+ Sid:
+ type: string
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ credspec:
+ description: GMSA Credential Spec
+ type: object
+ properties:
+ ActiveDirectoryConfig:
+ type: object
+ properties:
+ GroupManagedServiceAccounts:
+ type: array
+ items:
+ type: object
+ properties:
+ Name:
+ type: string
+ Scope:
+ type: string
+ HostAccountConfig:
+ type: object
+ properties:
+ PluginGUID:
+ type: string
+ PluginInput:
+ type: string
+ PortableCcgVersion:
+ type: string
+ CmsPlugins:
+ type: array
+ items:
+ type: string
+ DomainJoinConfig:
+ type: object
+ properties:
+ DnsName:
+ type: string
+ DnsTreeName:
+ type: string
+ Guid:
+ type: string
+ MachineAccountName:
+ type: string
+ NetBiosName:
+ type: string
+ Sid:
+ type: string
+ conversion:
+ strategy: None
+ names:
+ kind: GMSACredentialSpec
+ plural: 
gmsacredentialspecs
+ scope: Cluster
+
diff --git a/charts/latest/gmsa/templates/credentialspec.yaml b/charts/latest/gmsa/templates/credentialspec.yaml
new file mode 100644
index 00000000..c21ce090
--- /dev/null
+++ b/charts/latest/gmsa/templates/credentialspec.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.credential.enabled -}}
+apiVersion: windows.k8s.io/v1
+kind: GMSACredentialSpec
+metadata:
+ name: {{ lower .Values.credential.domainJoinConfig.machineAccountName }} #This is an arbitrary name but it will be used as a reference
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+credspec:
+ ActiveDirectoryConfig:
+ GroupManagedServiceAccounts:
+ - Name: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
+ Scope: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
+ - Name: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
+ Scope: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
+ CmsPlugins:
+ - ActiveDirectory
+ DomainJoinConfig:
+ DnsName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
+ DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name Root
+ Guid: {{ .Values.credential.domainJoinConfig.guid }} #GUID
+ MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
+ NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
+ Sid: {{ .Values.credential.domainJoinConfig.sid }} #SID of GMSA
+{{- end -}}
+
diff --git a/charts/latest/gmsa/templates/deployment.yaml b/charts/latest/gmsa/templates/deployment.yaml
new file mode 100644
index 00000000..363fe496
--- /dev/null
+++ b/charts/latest/gmsa/templates/deployment.yaml
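Review bot: The CRD is placed under `templates/crds/`, not the chart-root `crds/` directory, so Helm manages it as an ordinary release resource: `helm uninstall` (which `remove_chart` in this same patch runs) deletes `gmsacredentialspecs.windows.k8s.io`, and the API server then garbage-collects every `GMSACredentialSpec` in the cluster, including ones created outside this release. Either move the file to `crds/crds.yaml` at the chart root, where Helm installs it once and never deletes or upgrades it, or add `helm.sh/resource-policy: keep` under `metadata.annotations` so an uninstall leaves the definition and its objects in place. The two schemas are identical, so `conversion: strategy: None` is fine.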
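Review bot: `DnsTreeName` is rendered from `.Values.credential.domainJoinConfig.dnsName`, while `values.yaml` in this patch declares a separate `dnsTreeName` key that no template reads; for a child domain the tree root differs from the domain, so the line should be `DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsTreeName | quote }} #DNS Domain Name Root`. The remaining fields are emitted unquoted; add `| quote` on `Guid`, `Sid`, `MachineAccountName` and the `Scope` values so YAML never reinterprets them. `metadata.name` is only lower-cased, so a `machineAccountName` containing characters outside the DNS-1123 subdomain set is rejected by the API server at install time — worth a comment next to the value or a `required`/`regexMatch` check.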
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name}}
+ namespace: {{.Release.Namespace}}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ spec:
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Release.Name }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Release.Name }}
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /health
+ port: {{ .Values.containerPort }}
+ ports:
+ - containerPort: {{ .Values.containerPort }}
+ volumeMounts:
+ - name: tls
+ mountPath: "/tls"
+ readOnly: true
+ env:
+ - name: TLS_KEY
+ value: /tls/key
+ - name: TLS_CRT
+ value: /tls/crt
+ - name: HTTPS_PORT
+ value: "{{ .Values.containerPort }}"
+ {{- if .Values.securityContext }}
+ securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ volumes:
+ - name: tls
+ secret:
+ secretName: {{ .Values.certificates.secretName }}
+ items:
+ - key: tls.key
+ path: key
+ - key: tls.crt
+ path: crt
+
diff --git a/charts/latest/gmsa/templates/issuer.yaml b/charts/latest/gmsa/templates/issuer.yaml
new file mode 100644
index 00000000..4401e76d
--- /dev/null
+++ b/charts/latest/gmsa/templates/issuer.yaml
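Review bot: `replicas: 1` is hard-coded and the container declares no `resources`, yet both webhook configurations in this chart register on every pod CREATE with `failurePolicy: Fail`; while the single replica is evicted or rescheduled, pod creation is refused cluster-wide outside the excluded namespaces. Expose both as values — `replicas: {{ .Values.replicas | default 1 }}` and `resources: {{ toYaml .Values.resources | nindent 12 }}` — and consider a PodDisruptionBudget once more than one replica is run. The TLS secret is mounted `readOnly: true` and only `tls.key`/`tls.crt` are projected, which is the right shape; adding `automountServiceAccountToken` explicitly (the webhook needs its token for the SubjectAccessReview calls) would document that the default mount is intentional rather than accidental.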
@@ -0,0 +1,26 @@
+{{- if .Values.certificates.certManager.enabled -}}
+{{ template "cert-manager.apiversion" . }}
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ dnsNames:
+ - {{ .Release.Name }}.{{ .Release.Namespace }}.svc
+ - {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ .Release.Name }}
+ secretName: {{ .Values.certificates.secretName }}
+---
+{{ template "cert-manager.apiversion" . }}
+kind: Issuer
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ selfSigned: {}
+{{- end -}}
+
diff --git a/charts/latest/gmsa/templates/mutatingwebhook.yaml b/charts/latest/gmsa/templates/mutatingwebhook.yaml
new file mode 100644
index 00000000..7be62bfe
--- /dev/null
+++ b/charts/latest/gmsa/templates/mutatingwebhook.yaml
@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ .Release.Name }}
+ {{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+ {{- end }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+webhooks:
+ - name: admission-webhook.windows-gmsa.sigs.k8s.io
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+ path: "/mutate"
+ {{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ .Values.certificates.caBundle }}
+ {{- end }}
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["*"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ # don't run on ${NAMESPACE}
+ namespaceSelector:
+ matchExpressions:
+ - key: {{ .Release.Namespace }}
+ operator: NotIn
+ values: [disabled]
+
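Review bot: The `namespaceSelector` only skips namespaces that carry a label whose key is the release namespace and whose value is `disabled`, and nothing in this chart applies that label to `.Release.Namespace`; combined with `failurePolicy: Fail`, the webhook therefore intercepts creation of its own pod, so once that pod is deleted or rescheduled the admission call goes to a backend that no longer exists and the webhook cannot come back. Use the API-server-managed namespace label instead, which the readme's Kubernetes v1.21+ requirement already covers: `- key: kubernetes.io/metadata.name`, `operator: NotIn`, `values: [{{ .Release.Namespace | quote }}]` (and consider adding `kube-system`). `caBundle: {{ .Values.certificates.caBundle }}` renders as an empty scalar with the default `""`, so with cert-manager disabled and the value forgotten the configuration is accepted with no CA and every admission call then fails TLS; make it `caBundle: {{ required "certificates.caBundle is required when certManager.enabled is false" .Values.certificates.caBundle | quote }}`.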
diff --git a/charts/latest/gmsa/templates/service.yaml b/charts/latest/gmsa/templates/service.yaml
new file mode 100644
index 00000000..69edcfc5
--- /dev/null
+++ b/charts/latest/gmsa/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.containerPort }}
+ selector:
+ app: {{ .Release.Name }}
+
diff --git a/charts/latest/gmsa/templates/serviceaccount.yaml b/charts/latest/gmsa/templates/serviceaccount.yaml
new file mode 100644
index 00000000..3781108c
--- /dev/null
+++ b/charts/latest/gmsa/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+# the service account for the webhook
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+
diff --git a/charts/latest/gmsa/templates/validatingwebhook.yaml b/charts/latest/gmsa/templates/validatingwebhook.yaml
new file mode 100644
index 00000000..a4fb7bb0
--- /dev/null
+++ b/charts/latest/gmsa/templates/validatingwebhook.yaml
@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ .Release.Name }}
+ {{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+ {{- end }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+webhooks:
+ - name: admission-webhook.windows-gmsa.sigs.k8s.io
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+ path: "/validate"
+ {{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ .Values.certificates.caBundle }}
+ {{- end }}
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: [""]
+ apiVersions: ["*"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ # don't run on ${NAMESPACE}
+ namespaceSelector:
+ matchExpressions:
+ - key: {{ .Release.Namespace }}
+ operator: NotIn
+ values: [disabled]
+
diff --git a/charts/latest/gmsa/values.yaml b/charts/latest/gmsa/values.yaml
new file mode 100644
index 00000000..645bf996
--- /dev/null
+++ b/charts/latest/gmsa/values.yaml
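Review bot: Same self-admission problem as in mutatingwebhook.yaml: the selector only skips namespaces labelled `<release-namespace>=disabled`, which this chart never sets, so with `failurePolicy: Fail` the webhook validates its own pod's creation and a restart can deadlock; switch to `- key: kubernetes.io/metadata.name` / `operator: NotIn` / `values: [{{ .Release.Namespace | quote }}]`. The comment `# don't run on ${NAMESPACE}` reads like a leftover from a shell-templated manifest and does not describe what the selector actually matches; reword it to `# skip namespaces carrying the <release-namespace>=disabled label` or to match whichever selector is kept. Because this hook also fires on UPDATE for every pod, any unavailability of the single replica blocks routine pod status writes as well as creates, which is another reason to make replicas configurable in deployment.yaml.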
@@ -0,0 +1,34 @@
+certificates:
+ certManager:
+ # Enable cert manager integration. Cert manager should be already installed at the k8s cluster
+ enabled: true
+ version: "v1.7.1"
+ # If cert-manager integration is disabled, add self-signed ca.crt in base64 format
+ caBundle: ""
+ # If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
+ secretName: gmsa-server-cert
+
+credential:
+ enabled: false
+ domainJoinConfig:
+ dnsName: "" #DNS Domain Name
+ dnsTreeName: "" #DNS Domain Name Root
+ guid: "" #GUID
+ machineAccountName: "" #Username of the GMSA account
+ netBiosName: "" #NETBIOS Domain Name
+ sid: "" #SID of GMSA
+
+containerPort: "443"
+
+image:
+ repository: k8s.gcr.io/gmsa-webhook/k8s-gmsa-webhook
+ tag: v0.4.0
+ imagePullPolicy: IfNotPresent
+
+global:
+ systemDefaultRegistry: ""
+
+podSecurityContext: {}
+securityContext: {}
+tolerations: []
+
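Review bot: `podSecurityContext: {}` and `securityContext: {}` ship the webhook with no hardening, and these defaults fail the `restricted` Pod Security Standard that clusters increasingly enforce by default; the container only needs to bind a port and read the mounted TLS secret, so the usual restricted profile can be the default. The suggested values below assume the image runs as an unprivileged user, which this patch does not show — verify against the Dockerfile before enabling `runAsNonRoot`; since a non-root process cannot bind 443, `containerPort` moves to `"8443"`, and the Service `targetPort`, the readiness probe and the `HTTPS_PORT` env already follow that single value. `caBundle: ""` also deserves a comment that it is mandatory when `certManager.enabled` is false, and `dnsTreeName` is currently read by no template (credentialspec.yaml uses `dnsName` for `DnsTreeName`).

```yaml
containerPort: "8443"

# … unchanged: image, global …

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
tolerations: []
```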